none
Provisioning user with a Rules Extension and Exchange 2010 provisioning?

    Pergunta

  • HI 

    I have a simple question. My current client needs to provision users to their AD using a rules extension to calculate a DN. However, at the sametime I need to be able to provision users to an Exchange 2010 environment. How do i accomplish this, as i would need to specify two dlls in the Metaverse extensions in the synch engine options?

    

    terça-feira, 2 de abril de 2013 13:18

Respostas

  • Nested IIF's are possible, your custom expression should look something like this:

    IIF(Eq(Company,"X"),IIF(Eq(Department,"Y"),dn1,dn2),dn3)

    where

    dn1 occurs if company == x and department == y
    dn2 occurs if company == x and department !=y
    dn3 occurs if company != x

    You can continue nesting IIF's as many times as required.  I'd highly recommend using something like visual studio or notepad++ to make sure all your brackets much up correctly.

    • Marcado como Resposta aelric quinta-feira, 4 de abril de 2013 13:32
    quinta-feira, 4 de abril de 2013 00:27

Todas as Respostas

  • If it's the same MA you need to provision to, you can use the same MV extension.

    If you need to use different logic or different code for other Management agents, you could use logic known as MVRouter.

    For example :

    Example: Creating a Rules Extension from Multiple Sources
    http://msdn.microsoft.com/en-us/library/ms696018(VS.85).aspx

    There are more examples and sample codes out there.

    It all depends on what exactly you need, so I you provide a bit more information, the feedback will be more to the point.

    To provision Exchange, check this article:

    Exchange Provisioning using ILM 2007 and FIM 2010
    http://technet.microsoft.com/en-us/magazine/ff472471.aspx

    Kind regards,
    Peter


    Peter Geelen (Microsoft Belgium) - Premier Field Engineer Security & Identity

    [If a post helps to resolve your issue, please click the Answered"Mark as Answer" of that post or click Answered"Vote as helpful" button of that post.
    By marking a post as Answered or Helpful, you help others find the answer faster.


    terça-feira, 2 de abril de 2013 14:25
  • Hi Peter,

    To put it plainly, the client requires provisioning of users to specific OUs based on specific business rules. Unfortunately they are unable to articulate what those business rules are. I have looked at the OU structure and the departments, the office locations etc.. in an attempt to decipher some form of logic, but there is nothing consistent. So the only options open to me are.

    A) Develop a declarative rule that is able to accurately provision users to one of over 180 user OUs dependent on a range of criteria, i.e. 

    IIF(eq(department,"a"), and IIF(eq(city,"z") then CN=displayname + OU=u,ou=v,dc=z etc... etc... 

    Unfortunately I have yet to find any way in which to use multiple criteria in an "AndIF" scenario with declarative provisioning in FIM

    B) Custom dev a dll that does a look up of sharepoint list to determine the DN to be used during the provisioning into AD(Note only the DN is required as the rest is already done with declarative synch rules) again my problem here is that i also need to be able to provision exchange 2010 mailboxes

    Does that clarify the situation?

    terça-feira, 2 de abril de 2013 14:41
  • aelric;

    In addition to the other flows to make this happen which I assume you already applied, look at your Outbound Synchronization Rule, add a New Attribute Flow and do one similar to the following:

    And the Destination should be dn.

    Now no matter what department the user is in, they will be provisioned in the the respective OU in AD and you can do the same example for other criteria.


    Regards, John Atick

    terça-feira, 2 de abril de 2013 16:04
  • Hi, I think you misunderstand me. I know how to provision a user and how to set the DN. 

    the issue i have is working around the logic (or in this case that lack thereof) within the AD Ou structure that the client has implemented. 

    What i need to know is if there is a way to craft a custom expression that looks at multiple criteria with in an IIf statement.

    eg... this is not a valid IIF statement. Does anyone know of the correct syntax?

    IIF(Eq(Company,"x"),IIF(Eq(City,"y"),"OU=Users,OU=y,OU=x,OU=z,dc=XX,dc=XX,dc=XXX,dc=com","OU=Users,OU=z,OU=XX,OU=XXXX,dc=XX,dc=XX,dc=XXXX,dc=com"

    i.e. can I in declarative provisioning use multiple criteria to establish a DN ??

    terça-feira, 2 de abril de 2013 16:59
  • Hi aelric,

    1).You can create a one custom attribute in Metaverse for person object for eg."adOU".

    2). If company attribute is coming from the source you can create a rule extension and on import flow you can construct that adOU value like if company=="x" then "OU=Users,OU=z,DC=xxx,DC=com".

    3) You can then map this in AD outbound Sync rule as (source)"CN="+accountName+adOU=(destination)dn.

    Regards

    Deepak

    terça-feira, 2 de abril de 2013 17:29
  • Hi Deepak

    Thats a good idea. But still not a solution for my problem. I need to be able to use multiple criteria.

    so IIF(eq(Company,"X") and IF(Eq(Department,"y") then OU= blah blah blah....

    The problem is that the OU structure is not consistent neither is the business logic. For some OUs the criteria is company and department, for other OUs it will have to be department and city. So again the question that needs to be answered is ...

    Can i use multiple criteria in a declarative sync rule?

    quarta-feira, 3 de abril de 2013 07:55
  • If you can write down the criteria no matter how convoluted it is as a series of if then elseif elseif elseif elseif endifs, then you can write that as a IIF(.... condition in a sync rule.

    Another approach would be of course to move this logic into a C# custom workflow activity which pushes the calculated OU value given the company/department/whatever into a Workflow Parameter of the request. This Parameter can be used in the SR. Obviously this parameter creating activity is run before the SR adding activity in the workflow and your SR has to be hacked to utilise Paramters.

    quarta-feira, 3 de abril de 2013 10:15
  • Nested IIF's are possible, your custom expression should look something like this:

    IIF(Eq(Company,"X"),IIF(Eq(Department,"Y"),dn1,dn2),dn3)

    where

    dn1 occurs if company == x and department == y
    dn2 occurs if company == x and department !=y
    dn3 occurs if company != x

    You can continue nesting IIF's as many times as required.  I'd highly recommend using something like visual studio or notepad++ to make sure all your brackets much up correctly.

    • Marcado como Resposta aelric quinta-feira, 4 de abril de 2013 13:32
    quinta-feira, 4 de abril de 2013 00:27
  • Thanks... i knew there was an issue some where with my syntax. Just could frikkin get it.. 
    quinta-feira, 4 de abril de 2013 13:32